AWS Config is a service that keeps track of the resources deployed in and associated with an AWS account.
It monitors their configurations against rules, records their relationships to other entities and resources, and shows how those change (if at all) over time.
The dashboard provides a timeline showing which changes were tracked over time and when a resource became compliant or noncompliant.
Configuring AWS Config
Resource types to record
Select “All resources” so that changes to any resource type get tracked.
In my case I had a bucket available already; otherwise AWS Config can create one. The naming syntax is “config-bucket-<account-id>/<prefix>/AWSLogs”.
An added SNS topic lets other resources be notified of changes. The SNS topic can also drive automations, for example an automated remediation that resolves a noncompliant status, or invoke something else whenever a compliance state is triggered. For convenience, the SNS topic created in this example has an email subscription.
As with any AWS resource that acts on your behalf, AWS Config must be allowed to do so by a role. AWS Config provides an existing service-linked role, which adds some convenience.
Rules provide the actual monitoring logic that is executed to track a compliant or noncompliant status.
In this case two pre-configured rules are added to the configuration:
This rule monitors whether EC2 instances in the AWS account have been configured with the EBS-optimized instance option. Note that AWS seems to provide more and more instance types where EBS optimization is simply enabled, so turning it on or off no longer makes a difference.
This (likewise pre-configured) AWS Config rule monitors whether a given EC2 instance has detailed monitoring enabled. Where detailed monitoring is desired, an automated remediation could be implemented to let AWS Config take a corrective action on a noncompliant finding (but watch out for the monitoring costs as well).
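As an added example (my own code, not from the original post), here is what a Lambda function subscribed to the SNS topic could do with the compliance-change notifications from the two rules above: parse them, enable detailed monitoring on the flagged instance, and only report EBS-optimization findings. It assumes the field names of the AWS Config compliance-change message format and the default managed-rule names; the sample event is constructed.

```python
import json

# The two AWS managed rules added on this page, under their default managed-rule names
# (assumption: the rules were not renamed when they were added in the console).
DETAILED_MONITORING_RULE = "ec2-instance-detailed-monitoring-enabled"
EBS_OPTIMIZED_RULE = "ebs-optimized-instance"

def parse_compliance_changes(sns_event):
    """Return (rule, resource_type, resource_id, old, new) per compliance-change message."""
    findings = []
    for record in sns_event.get("Records", []):
        msg = json.loads(record["Sns"]["Message"])
        # Other AWS Config message types on the topic (e.g. configuration item changes) are skipped.
        if msg.get("messageType") != "ComplianceChangeNotification":
            continue
        old = (msg.get("oldEvaluationResult") or {}).get("complianceType")
        new = msg["newEvaluationResult"]["complianceType"]
        findings.append((msg["configRuleName"], msg["resourceType"], msg["resourceId"], old, new))
    return findings

def remediate(findings, enable_monitoring):
    """Act only on NON_COMPLIANT EC2 findings; enable_monitoring(ids) is injected for testability."""
    actions = []
    for rule, rtype, rid, _old, new in findings:
        if rtype != "AWS::EC2::Instance" or new != "NON_COMPLIANT":
            continue
        if rule == DETAILED_MONITORING_RULE:
            enable_monitoring([rid])
            actions.append(("monitor_instances", rid))
        elif rule == EBS_OPTIMIZED_RULE:  # report only: toggling this often changes nothing
            actions.append(("report_only", rid))
    return actions

def lambda_handler(event, context):
    import boto3  # imported here so the module also loads where boto3 is not installed
    ec2 = boto3.client("ec2")
    return remediate(parse_compliance_changes(event),
                     lambda ids: ec2.monitor_instances(InstanceIds=ids))

def _msg(rule, rid, old, new, mtype="ComplianceChangeNotification"):
    body = {"messageType": mtype, "configRuleName": rule, "resourceType": "AWS::EC2::Instance",
            "resourceId": rid, "oldEvaluationResult": {"complianceType": old} if old else None,
            "newEvaluationResult": {"complianceType": new}}
    return {"Sns": {"Message": json.dumps(body)}}

# Constructed sample event (not captured from a real account) carrying three notifications.
SAMPLE_EVENT = {"Records": [
    _msg(DETAILED_MONITORING_RULE, "i-0abc123", "COMPLIANT", "NON_COMPLIANT"),
    _msg(EBS_OPTIMIZED_RULE, "i-0def456", None, "NON_COMPLIANT"),
    _msg(DETAILED_MONITORING_RULE, "i-0def456", None, "COMPLIANT", "ConfigurationItemChangeNotification")]}
```

The Lambda execution role then only needs `ec2:MonitorInstances`, which keeps the remediation path narrowly scoped.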
AWS Config Timeline
Once everything is configured and the AWS Config service has executed the first compliance-tracking iterations, a timeline can be opened to visualize the configuration status of a given resource over time.
The timeline can also be drilled into to see what changes occurred around a compliance or noncompliance finding.